Skip to main content
CVE-2020-10148 CRITICAL POC KEV THREAT Emergency

SolarWinds Orion API contains an authentication bypass that allows unauthenticated remote attackers to execute API commands, related to the massive SUNBURST supply chain attack discovered in December 2020.

NVD
CVSS 3.1
9.8
EPSS
94.3%
Threat
9.8
CVE-2020-10210 CRITICAL POC Act Now

Because of hard-coded SSH keys for the root user in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series, Kami7B, an attacker may remotely log in through. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Ak45X Firmware Ak5Xx Firmware Ak65X Firmware Aria6Xx Firmware +2
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2020-10207 CRITICAL POC Act Now

Use of Hard-coded Credentials in EntoneWebEngine in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows remote attackers to retrieve. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Ak45X Firmware Ak5Xx Firmware Ak65X Firmware Aria6Xx Firmware +2
NVD
CVSS 3.1
9.8
EPSS
2.5%
CVE-2020-28283 CRITICAL POC Act Now

Prototype pollution vulnerability in 'libnested' versions 0.0.0 through 1.5.0 allows an attacker to cause a denial of service and may lead to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Denial Of Service Libnested
NVD GitHub
CVSS 3.1
9.8
EPSS
3.2%
CVE-2020-28282 CRITICAL POC PATCH Act Now

Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Denial Of Service Getobject
NVD GitHub
CVSS 3.1
9.8
EPSS
4.0%
CVE-2020-28281 CRITICAL POC PATCH Act Now

Prototype pollution vulnerability in 'set-object-value' versions 0.0.0 through 0.0.5 allows an attacker to cause a denial of service and may lead to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Denial Of Service Set Object Value
NVD GitHub
CVSS 3.1
9.8
EPSS
3.6%
CVE-2020-28280 CRITICAL POC PATCH Act Now

Prototype pollution vulnerability in 'predefine' versions 0.0.0 through 0.1.2 allows an attacker to cause a denial of service and may lead to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Denial Of Service Predefine
NVD GitHub
CVSS 3.1
9.8
EPSS
2.9%
CVE-2020-28279 CRITICAL POC PATCH Act Now

Prototype pollution vulnerability in 'flattenizer' versions 0.0.5 through 1.0.5 allows an attacker to cause a denial of service and may lead to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Denial Of Service Flattenizer
NVD GitHub
CVSS 3.1
9.8
EPSS
3.0%
CVE-2020-28278 CRITICAL POC PATCH Act Now

Prototype pollution vulnerability in 'shvl' versions 1.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Denial Of Service Shvl
NVD GitHub
CVSS 3.1
9.8
EPSS
2.9%
CVE-2020-28277 CRITICAL POC PATCH Act Now

Prototype pollution vulnerability in 'dset' versions 1.0.0 through 2.0.1 allows attacker to cause a denial of service and may lead to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Denial Of Service Dset
NVD GitHub
CVSS 3.1
9.8
EPSS
2.9%
CVE-2020-28276 CRITICAL POC Act Now

Prototype pollution vulnerability in 'deep-set' versions 1.0.0 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Denial Of Service Deep Set
NVD GitHub
CVSS 3.1
9.8
EPSS
2.9%
CVE-2020-35773 HIGH POC PATCH This Week

The site-offline plugin before 1.4.4 for WordPress lacks certain wp_create_nonce and wp_verify_nonce calls, aka CSRF. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

WordPress CSRF Site Offline
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2020-26287 HIGH POC PATCH This Week

HedgeDoc is a collaborative platform for writing and sharing markdown. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Google Hedgedoc
NVD GitHub
CVSS 3.1
8.7
EPSS
1.4%
CVE-2020-35769 CRITICAL PATCH Act Now

miniserv.pl in Webmin 1.962 on Windows mishandles special characters in query arguments to the CGI program. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Microsoft Information Disclosure Webmin
NVD GitHub
CVSS 3.1
9.8
EPSS
1.7%
CVE-2020-35774 MEDIUM POC PATCH THREAT This Month

server/handler/HistogramQueryHandler.scala in Twitter TwitterServer (aka twitter-server) before 20.12.0, in some configurations, allows XSS via the /histograms endpoint. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Twitter Server
NVD GitHub
CVSS 3.1
5.4
EPSS
87.6%
CVE-2020-27645 HIGH This Week

The Inventory module of the 1E Client 5.0.0.745 doesn't handle an unquoted path when executing %PROGRAMFILES%\1E\Client\Tachyon.Performance.Metrics.exe. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Client
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2020-27644 HIGH This Week

The Inventory module of the 1E Client 5.0.0.745 doesn't handle an unquoted path when executing %PROGRAMFILES%\1E\Client\Tachyon.Performance.Metrics.exe. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Client
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2020-16268 HIGH This Week

The MSI installer in 1E Client 4.1.0.267 and 5.0.0.745 allows remote authenticated users and local users to gain elevated privileges via the repair option. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Client
NVD
CVSS 3.1
8.8
EPSS
1.3%
CVE-2020-29471 MEDIUM POC This Month

OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Profile Image. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Opencart
NVD Exploit-DB
CVSS 3.1
4.8
EPSS
1.3%
CVE-2020-29470 MEDIUM POC This Month

OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Subject field of mail. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Opencart
NVD Exploit-DB
CVSS 3.1
4.8
EPSS
1.7%
CVE-2020-29475 MEDIUM POC This Month

nopCommerce Store 4.30 is affected by cross-site scripting (XSS) in the Schedule tasks name field. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Store
NVD Exploit-DB
CVSS 3.1
4.8
EPSS
1.1%
CVE-2020-25847 HIGH This Week

This command injection vulnerability allows attackers to execute arbitrary commands in a compromised application. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Qnap Command Injection Qts Quts Hero
NVD
CVSS 3.1
8.8
EPSS
2.5%
CVE-2020-35735 MEDIUM POC This Month

Vidyo 02-09-/D allows clickjacking via the portal/ URI. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Vidyo
NVD GitHub
CVSS 3.1
4.7
EPSS
0.7%
CVE-2020-17533 HIGH PATCH This Week

Apache Accumulo versions 1.5.0 through 1.10.0 and version 2.0.0 do not properly check the return value of some policy enforcement functions before permitting an authenticated user to perform certain. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Accumulo
NVD
CVSS 3.1
8.1
EPSS
3.7%
CVE-2020-9207 HIGH This Week

There is an improper authentication vulnerability in some verisons of Huawei CloudEngine product. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Huawei Authentication Bypass Cloudengine 12800 Firmware Cloudengine 5800 Firmware Cloudengine 6800 Firmware +1
NVD
CVSS 3.1
7.8
EPSS
0.6%
CVE-2020-9223 HIGH This Week

There is a denial of service vulnerability in some Huawei smartphones. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Huawei Honor 20 Pro Firmware Princeton Al10D Firmware Yale L21A Firmware +1
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2020-9124 HIGH This Week

There is a memory leak vulnerability in some versions of Huawei CloudEngine product. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Huawei Information Disclosure Cloudengine 12800 Firmware Cloudengine 5800 Firmware Cloudengine 6800 Firmware +1
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2020-9094 HIGH This Week

There is an out of bound read vulnerability in some verisons of Huawei CloudEngine product. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Denial Of Service Huawei Information Disclosure Cloudengine 12800 Firmware +3
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2020-5807 HIGH This Week

An unauthenticated remote attacker can send data to RsvcHost.exe listening on TCP port 5241 to add entries in the FactoryTalk Diagnostics event log. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Factorytalk Diagnostics
NVD
CVSS 3.1
7.5
EPSS
33.8%
CVE-2020-5802 HIGH This Week

An attacker-controlled memory allocation size can be passed to the C++ new operator in RnaDaSvr.dll by sending a specially crafted ConfigureItems message to TCP port 4241. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Factorytalk Linx
NVD
CVSS 3.1
7.5
EPSS
38.8%
CVE-2020-5801 HIGH This Week

An attacker can craft and send an OpenNamespace message to port 4241 with valid session-id that triggers an unhandled exception in CFTLDManager::HandleRequest function in RnaDaSvr.dll, resulting in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Factorytalk Linx
NVD
CVSS 3.1
7.5
EPSS
25.2%
CVE-2020-26286 HIGH PATCH This Week

HedgeDoc is a collaborative platform for writing and sharing markdown. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

File Upload PHP Hedgedoc
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2020-9125 MEDIUM This Month

There is an out-of-bound read vulnerability in huawei smartphone Mate 30 versions earlier than 10.1.0.156 (C00E155R7P2). Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Huawei Information Disclosure Mate 30 Firmware
NVD
CVSS 3.1
6.7
EPSS
0.2%
CVE-2020-27643 MEDIUM This Month

The %PROGRAMDATA%\1E\Client directory in 1E Client 5.0.0.745 and 4.1.0.267 allows remote authenticated users and local users to create and modify files in protected directories (where they would not. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Client
NVD
CVSS 3.1
6.5
EPSS
1.4%
CVE-2020-9208 MEDIUM This Month

There is an information leak vulnerability in iManager NetEco 6000 versions V600R021C00. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Imanager Neteco 6000
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2020-9093 MEDIUM This Month

There is a use after free vulnerability in Taurus-AL00A versions 10.0.0.1(C00E1R1P1). Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Use After Free Denial Of Service Memory Corruption Taurus Al00A Firmware
NVD
CVSS 3.1
5.5
EPSS
0.5%
CVE-2020-1848 MEDIUM This Month

There is a resource management error vulnerability in Jackman-AL00D versions 8.2.0.185(C00R2P1). Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Jackman Al00D Firmware
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2020-5806 MEDIUM This Month

An attacker-controlled memory allocation size can be passed to the C++ new operator in the CServerManager::HandleBrowseLoadIconStreamRequest in messaging.dll. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Factorytalk Linx
NVD
CVSS 3.1
5.5
EPSS
4.8%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy